Biggest Cyber Attacks, Data Breaches, Ransomware Attacks: February 2024
Date: 4 March 2024
UnitedHealth, Axie Infinity co-founder’s personal accounts, Hewlett Packard Enterprise, AnyDesk, the French healthcare payment service providers Viamedis and Almerys, Integris Health, Schneider Electric, Lurie Children's Hospital, a California union, Trans-Northern Pipelines: these are some of the victims of cyber crime in February 2024. Check out our compilation of the biggest cyber attacks, ransomware attacks and data breaches of February 2024 below.
- Ransomware Attacks in February 2024
- Cyber Attacks in February 2024
- Data Breaches in February 2024
- New Malware and Ransomware Discovered
- Vulnerabilities Discovered and Patches Released
- Advisories issued, reports, analysis etc. in February 2024
We compile these accessible lists summarising recent cyber attacks each month to encourage and enable businesses globally to strengthen their cyber resilience. The ultimate goal is to inform and empower organisations to enhance their preparedness against various cybersecurity threats, including cyber attacks, ransomware incidents, and data breaches.
A critical starting point for improving business cyber resilience is to create an effective and fit-for-purpose Cyber Incident Response Plan and Cyber Incident Response Playbook. Should you require support in reviewing or updating these critical resources, expert cybersecurity consultants such as our Virtual Cyber Assistants are perfect for the task. They help you elevate your cybersecurity maturity within a defined timeline and budget.
It is also imperative that these cybersecurity artefacts are regularly tested and practised to make them a part of your team’s muscle memory. They must be thoroughly acquainted with these plans and should practise decision making for a crisis with regular Cyber Attack Tabletop Exercises.
Building cyber resilience is a continuous endeavour that demands ongoing vigilance and concerted effort to improve cybersecurity preparedness. Although the journey towards enhanced cyber resilience may present challenges, it is indeed attainable with the right approach and resources.
Ransomware Attacks in February 2024
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| February 01 and 28, 2024 | Lurie Children's Hospital | Lurie Children's Hospital took systems offline after cyber attack; Rhysida ransomware demands $3.6 million for children’s stolen data | Rhysida Ransomware | The attack forced Lurie Children's Hospital to take its IT systems offline, disrupting normal operations and in some instances delaying medical care. The healthcare provider said the incident affected the hospital's internet, email, phone services and access to the MyChart platform. | |
| February 08, 2024 | California union (SEIU 1000) | California union confirms ransomware attack following LockBit claims | LockBit Ransomware | One of the largest unions in California confirmed it was dealing with network disruptions caused by a cyber incident. The LockBit ransomware gang claimed to have stolen 308 gigabytes of data from the union, including employee Social Security numbers, salary information, financial documents and more. | |
| February 08, 2024 | Hyundai Motor Europe | Hyundai Motor Europe hit by Black Basta ransomware attack | Black Basta Ransomware | Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data. An image shared by the threat actors showed lists of folders allegedly stolen from numerous Windows domains, including those of KIA Europe. | |
| February 11, 2024 | Hipocrate Information System (HIS) | Ransomware attack forces 100 Romanian hospitals to go offline | Unknown | Of the 100 hospitals, 25 confirmed that their data had been encrypted by the attackers; the other 75 healthcare facilities using HIS took their systems offline as a precaution while the incident was investigated. The Romanian Ministry of Health said the attackers demanded a ransom of 3.5 BTC (roughly €157,000). | |
| February 11, 2024 | Fulton County, Georgia | LockBit claims ransomware attack on Fulton County, Georgia | LockBit Ransomware | The LockBit ransomware gang claimed responsibility for the recent cyber attack on Fulton County, Georgia, and threatened to publish "confidential" documents if a ransom was not paid. The attackers breached the county’s systems during the last weekend of January, causing widespread IT outages that affected phone, court and tax systems. | |
| February 13, 2024 | Trans-Northern Pipelines | Trans-Northern Pipelines investigating ALPHV ransomware attack claims | ALPHV Ransomware | Trans-Northern Pipelines (TNPI) confirmed that its internal network was breached in November 2024 and that it is investigating claims of data theft made by the ALPHV/BlackCat ransomware gang. The incident affected a limited number of internal computer systems; the gang said its operators stole 183 GB of documents from the company's network. | |
| February 19, 2024 | Critical infrastructure software maker PSI Software SE | Critical infrastructure software maker confirms ransomware attack | Unknown | PSI Software SE, a German developer of software for complex production and logistics processes, confirmed that it suffered a ransomware attack affecting its internal infrastructure. The attack forced it to disconnect several IT systems, including email, to reduce the risk of data loss. | |
| February 23, 2024 | Sony subsidiary Insomniac Games | Insomniac Games alerts employees hit by ransomware data breach | Rhysida Ransomware | Sony subsidiary Insomniac Games sent data breach notification letters to employees whose personal information was stolen and leaked online following a ransomware attack in November. In December, Sony said it was investigating the ransomware gang's claims that it had breached Insomniac Games and stolen over 1.3 million files from its network. After negotiations failed and the studio refused to pay the $2 million ransom, Rhysida dumped 1.67 TB of documents on its dark web leak site. | |
| February 27, 2024 | Hessen Consumer Center | Hessen Consumer Center says its systems were encrypted by ransomware | Unknown | The Hessen Consumer Center in Germany was hit by a ransomware attack that shut down its IT systems and temporarily disrupted its availability. | |
Cyber Attacks in February 2024
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| February 13, 2024 | PlayDapp | Hackers mint 1.79 billion crypto tokens from PlayDapp gaming platform | Unknown | Hackers are believed to have used a stolen private key to mint and steal over 1.79 billion PLA tokens, the cryptocurrency used within the PlayDapp ecosystem. An unauthorised wallet apparently minted 200 million PLA tokens, valued at the time at $36.5 million, and blockchain security company PeckShield pointed to the possibility that the attacker was using a leaked private key. | |
| February 22, 26, and 28, 2024 | UnitedHealth | UnitedHealth confirms Optum hack behind US healthcare billing outage. Ransomware gang claims it stole 6TB of Change Healthcare data | BlackCat Ransomware | Healthcare giant UnitedHealth Group confirmed that its subsidiary Optum was forced to shut down IT systems and various services after a cyber attack by “nation-state” hackers on the Change Healthcare platform. In a statement published on its dark web leak site, BlackCat claimed to have stolen 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc." | |
| February 22, 2024 | AT&T | Cell phone outage hits AT&T customers nationwide; Verizon and T-Mobile users also affected | Suspected Chinese hackers | According to Downdetector, tens of thousands of AT&T customers were left without service for hours. | Cell Phone outage cyber attack on AT&T customers; Verizon and T-Mobile users |
| February 22, 2024 | Change Healthcare | Change Healthcare responds to cyber attack | BlackCat Ransomware | Change Healthcare, a Nashville, TN-based provider of healthcare billing and data systems, confirmed that it was dealing with a cyber attack that had caused network disruption. The attack was detected on February 21, 2024, and immediate action was taken to contain the incident and prevent further impact. | |
| February 22, 2024 | Axie Infinity | Hackers steal nearly $10 million from Axie Infinity co-founder’s personal accounts | Unknown | One of the co-founders of the video game Axie Infinity and the related Ronin Network had nearly $10 million in cryptocurrency stolen from personal accounts. Reports said that wallets allegedly belonging to Jeff “Jihoz” Zirlin were drained of 3,248 ether, worth about $9.7 million; Zirlin confirmed on social media that two of his accounts had been compromised. | |
| February 26, 2024 | Steel producer ThyssenKrupp | Steel giant ThyssenKrupp confirms cyber attack on automotive division | Unknown | Steel giant ThyssenKrupp confirmed that hackers breached systems in its Automotive division, forcing it to shut down IT systems as part of its response and containment effort. | |
| February 26, 2024 | FCKeditor plugin | Hackers exploit 14-year-old CMS editor on govt, edu sites for SEO poisoning | Unknown | Threat actors exploited a CMS editor discontinued 14 years ago to compromise education and government entities worldwide and poison search results with malicious sites or scams. Organisations allegedly targeted by the campaign include educational institutions such as MIT, Columbia University, the University of Washington and Purdue. The campaign also targeted government and corporate sites running the outdated FCKeditor plugin, including the Virginia, Texas and Spanish government sites and Yellow Pages Canada. | |
Data Breaches in February 2024
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| February 01, 2024 | Cloudflare | Cloudflare hacked using auth tokens stolen in Okta attack | Unknown | Cloudflare disclosed that its internal Atlassian server was breached by a suspected 'nation state attacker' who accessed its Confluence wiki, Jira bug database and Bitbucket source code management system. The threat actor first gained access to Cloudflare's self-hosted Atlassian server on November 14 and, after a reconnaissance stage, accessed the company's Confluence and Jira systems. | |
| February 05, 2024 | Hewlett Packard Enterprise | HPE investigates new breach after data for sale on hacking forum | IntelBroker (BreachForums name) | Hewlett Packard Enterprise (HPE) investigated a potential new breach after a threat actor put allegedly stolen data up for sale on a hacking forum, claiming it contained HPE credentials and other sensitive information. The threat actor selling the alleged HPE data shared screenshots of some of the supposedly stolen credentials but had yet to disclose the source of the information or the method used to obtain it. | |
| February 05, 2024 | Verizon | Verizon insider data breach hits over 63,000 employees | Unknown | Verizon Communications warned that an insider data breach affected almost half its workforce, exposing sensitive information of 63,200 employees. A data breach notification shared with the Office of the Maine Attorney General revealed that a Verizon employee gained unauthorised access to a file containing sensitive employee information on September 21, 2024. | |
| February 06, 2024 | AnyDesk | AnyDesk says hackers breached its production servers, reset passwords | Unknown | AnyDesk confirmed that it suffered a cyber attack in which hackers gained access to the company's production systems and stole source code and private code signing keys. | |
| February 06, 2024 | French healthcare payment service providers, Viamedis and Almerys | Data breaches at Viamedis and Almerys impact 33 million in France | Unknown | The company said the exposure included names, dates of birth, insurer details, social security numbers, marital status, civil status and guarantees open to third-party payment. The French data protection authority (CNIL) has confirmed both data breaches and said that the attacks affected 33 million people in the country. | Data breach attack on French healthcare payment service providers |
| February 12, 2024 | Bank of America | Bank of America warns customers of data breach after vendor hack | LockBit Ransomware | Bank of America warned customers of a data breach exposing their personal information after Infosys McCamish Systems (IMS), one of its service providers, was hacked last year. Customers’ personally identifiable information (PII) was exposed in the breach, including the affected individuals' financial information, account and credit card numbers. | |
| February 13, 2024 | Prudential Financial | Prudential Financial breached in data theft cyber attack | ALPHV Ransomware | Prudential Financial disclosed that its network was breached, with the attackers stealing employee and contractor data before being blocked from the compromised systems one day later. Prudential said the cybercrime group accessed company administrative and user data from certain information technology systems and a small percentage of company user accounts associated with employees and contractors. | |
| February 13, 2024 | Facebook Marketplace | 200,000 Facebook Marketplace user records leaked on hacking forum | The 'algoatson' Discord handle | A threat actor leaked 200,000 records on a hacker forum, claiming they contained the mobile phone numbers, email addresses and other personal information of Facebook Marketplace users. IntelBroker claimed this partial Facebook Marketplace database was stolen by someone using the 'algoatson' Discord handle after hacking the systems of a Meta contractor. | |
| February 13, 2024 | Integris Health | Integris Health says data breach impacted 2.4 million patients | Unknown | Integris Health reported to U.S. authorities that the data breach it suffered last November exposed personal information belonging to almost 2.4 million people. | |
| February 13, 2024 | Schneider Electric | Cactus ransomware claims to have stolen 1.5 TB of Schneider Electric data | Cactus Ransomware | The Cactus ransomware gang claimed to have stolen 1.5 TB of data from Schneider Electric after breaching the company's network the previous month. 25MB of the allegedly stolen data was also leaked on the operation's dark web leak site as proof of the claim, together with snapshots showing several American citizens' passports and scans of non-disclosure agreements. | |
| February 20, 2024 | Prince George’s County Public Schools (PGCPS) | DC-area school system says data of 100,000 people affected in ransomware attack | Unknown | Prince George’s County Public Schools (PGCPS) in the Washington, D.C., suburbs said the personal information of nearly 100,000 people was breached by a ransomware gang right before classes started in the fall. According to a regulatory filing, the school district determined that “personal information was included in the potentially impacted data set.” | Prince George’s County Public Schools data breach |
| February 22, 2024 | Indian immigration department and other government and private organisations from S.Korea, Hong Kong, Kazakhstan, Malaysia, Mongolia, Nepal and Taiwan | Leaked files from Chinese firm show vast international hacking effort | Suspected Chinese state-linked hackers | A trove of leaked documents from a Chinese state-linked hacking contractor allegedly shows that Beijing’s intelligence and military groups are attempting large-scale, systematic cyber intrusions against foreign governments, companies and infrastructure. Hackers at one company claimed to be able to target users of Microsoft, Apple and Google. The cache, containing more than 570 files, images and chat logs, offers an unprecedented look inside the operations of one of the firms that Chinese government agencies hire for on-demand, mass data-collecting operations. | |
| February 22, 2024 | Indian PMO and EPFO | Indian authorities investigate data breach concerning PMO and EPFO | Unknown | Indian authorities are probing reports of a potential data breach involving sensitive datasets from the Prime Minister’s Office (PMO) and the Employees’ Provident Fund Organisation (EPFO). | Data breach attack on Indian PMO and EPFO |
| February 22, 2024 | U-Haul | U-Haul says hacker accessed customer records using stolen credentials | Unknown | U-Haul informed customers that a hacker used stolen account credentials to access an internal system used by dealers and team members to track customer reservations. The breach exposed customer records containing personal information, but payment details were not affected. | |
| February 27, 2024 | Pharmaceutical player Cencora | Pharmaceutical giant Cencora says data was stolen in a cyber attack | Unknown | Pharmaceutical giant Cencora said it suffered a cyber attack in which threat actors stole data from corporate IT systems. The organisation said that data from its information systems had been exfiltrated, some of which may contain personal information. | |
| February 29, 2024 | Cutout.Pro, an AI-powered photo and video editing platform | 20 million Cutout.Pro user records leaked on data breach forum | 'KryptonZambie' (on BreachForums) | AI service Cutout.Pro suffered a data breach exposing the personal information of 20 million members, including email addresses, hashed and salted passwords, IP addresses and names. A threat actor using the alias 'KryptonZambie' shared a link on the BreachForums hacking forum to CSV files containing 5.93 GB of data stolen from Cutout.Pro. | Data breach attack on an AI-powered photo and video editing platform Cutout.Pro |
| February 29, 2024 | Golden Corral Restaurant | Golden Corral restaurant chain data breach impacts 183,000 people | Unknown | The Golden Corral American restaurant chain disclosed a data breach after attackers behind an August cyber attack stole the personal information of over 180,000 people. In a press release, the company said that attackers had access to its systems between August 11 and August 15 and stole the sensitive data of current and former employees and beneficiaries. | |
New Ransomware/Malware Discovered in February 2024
| New Malware | Summary | Source Link |
|---|---|---|
| New Ov3r_Stealer password-stealing malware | A new password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency. | Facebook ads push new Ov3r_Stealer password-stealing malware |
| New RustDoor macOS malware | A new Rust-based macOS malware is spreading as a fake Visual Studio update to provide backdoor access to compromised systems, using infrastructure linked to the infamous ALPHV/BlackCat ransomware gang. | New RustDoor macOS malware impersonates Visual Studio update |
| Raspberry Robin malware | Check Point highlights that the new Raspberry Robin campaign leverages exploits for CVE-2024-36802 and CVE-2024-29360, two local privilege escalation vulnerabilities in Microsoft Streaming Service Proxy and the Windows TPM Device Driver. | Raspberry Robin malware evolves with early access to Windows exploits |
| Bumblebee malware | The Bumblebee malware has returned after a four-month absence, targeting thousands of organisations in the United States in phishing campaigns. | |
| RansomHouse gang’s new MrAgent tool | The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encryptor across multiple VMware ESXi hypervisors. | RansomHouse gang automates VMware ESXi attacks with new MrAgent tool |
| New TinyTurla-NG malware | Security researchers have identified and analysed new malware they call TinyTurla-NG and TurlaPower-NG, used by the Russian hacker group Turla to maintain access to a target’s network and to steal sensitive data. | |
| New Migo malware | Security researchers discovered a new campaign that targets Redis servers on Linux hosts using a piece of malware called ‘Migo’ to mine cryptocurrency. | New Migo malware disables protection features on Redis servers |
Vulnerabilities/Patches Discovered in February 2024
| Date | New Malware/Flaws/Fixes | Summary | Source Link |
|---|---|---|---|
| February 03, 2024 | CVE-2024-23832 | Mastodon, the free and open-source decentralised social networking platform, has fixed a critical vulnerability that allows attackers to impersonate and take over any remote account. | Mastodon vulnerability allows attackers to take over accounts |
| February 04, 2024 | CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653 | Four vulnerabilities collectively called "Leaky Vessels" allow hackers to escape containers and access data on the underlying host operating system. | Leaky Vessels flaws allow hackers to escape Docker, runc containers |
| February 06, 2024 | CVE-2024-23917 | JetBrains urged customers to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges. | |
| February 06, 2024 | CVE-2024-40547 | A critical vulnerability in the Shim Linux bootloader enables attackers to execute code and take control of a target system before the kernel is loaded, bypassing existing security mechanisms. | Critical flaw in Shim bootloader impacts major Linux distros |
| February 07, 2024 | CVE-2024-23108, CVE-2024-23109, CVE-2024-34992 | Fortinet warned of two new, still unpatched bypasses of the patch for a critical remote code execution vulnerability in FortiSIEM, Fortinet's SIEM solution. | Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure |
| February 07, 2024 | CVE-2024-20252 and CVE-2024-20254 | Cisco has patched several vulnerabilities affecting its Expressway Series collaboration gateways, two of them rated critical severity and exposing vulnerable devices to cross-site request forgery (CSRF) attacks. | Critical Cisco bug exposes Expressway gateways to CSRF attacks |
| February 08, 2024 | CVE-2024-21762 / FG-IR-24-015 | Fortinet warned that a new critical remote code execution vulnerability in FortiOS SSL VPN is potentially being exploited in attacks. | New Fortinet RCE flaw in SSL VPN likely exploited in attacks |
| February 12, 2024 | CVE-2024-43770 | CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks. | |
| February 14, 2024 | CVE-2024-24691 | The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw that could allow an unauthenticated attacker to escalate privileges on the target system over the network. | Zoom patches critical privilege elevation flaw in Windows apps |
| February 15, 2024 | CVE-2024-22024, CVE-2024-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888 | Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues first disclosed more than a month ago, which the vendor has gradually patched. | Over 13,000 Ivanti gateways vulnerable to actively exploited bugs |
| February 17, 2024 | CVE-2024-50387 | A serious vulnerability named KeyTrap in the Domain Name System Security Extensions (DNSSEC) feature could be exploited to deny internet access to applications for an extended period. | KeyTrap attack: Internet access disrupted with one DNS packet |
| February 17, 2024 | CVE-2024-23476, CVE-2024-23479, CVE-2024-40057 | SolarWinds has patched five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that allow unauthenticated exploitation. | SolarWinds fixes critical RCE bugs in access rights audit solution |
| February 27, 2024 | CVE-2024-1709 | The Black Basta and Bl00dy ransomware gangs have joined widespread attacks targeting ScreenConnect servers unpatched against a maximum severity authentication bypass vulnerability. | Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks |
Warnings/Advisories/Reports/Analysis
| News Type | Summary | Source Link |
|---|---|---|
| Report | An international law enforcement operation code-named 'Synergia' has taken down over 1,300 command and control servers used in ransomware, phishing and malware campaigns. | Interpol operation Synergia takes down 1,300 servers used for cybercrime |
| Report | Secretary of State Antony J. Blinken announced a new visa restriction policy that will enable the Department of State to ban those linked to commercial spyware from entering the United States. | |
| Report | A threat group named 'ResumeLooters' has stolen the personal data of over two million job seekers after compromising 65 legitimate job listing and retail sites using SQL injection and cross-site scripting (XSS) attacks. | Hackers steal data of 2 million in SQL injection, XSS attacks |
| Warning | LastPass warned that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. | |
| Report | South Korean researchers have publicly disclosed an encryption flaw in the Rhysida ransomware encryptor, allowing the creation of a Windows decryptor to recover files for free. | Free Rhysida ransomware decryptor for Windows exploits RNG flaw |
| Report | Starting March 13th, telecommunications companies must report data breaches affecting customers' personally identifiable information within 30 days, as required by the FCC's updated data breach reporting requirements. | FCC orders telecom carriers to report PII data breaches within 30 days |
| Report | The FBI dismantled the Warzone RAT malware operation, seizing infrastructure and arresting two individuals associated with the cybercrime operation. | FBI seizes Warzone RAT infrastructure, arrests malware vendor |
| Report | LockBit is supposedly relaunching its ransomware operation on new infrastructure less than a week after law enforcement hacked its servers, and is threatening to focus more attacks on the government sector. The gang announced it was resuming the ransomware business and released a damage control statement admitting that “personal negligence and irresponsibility” led to law enforcement disrupting its activity in Operation Cronos. | LockBit ransomware returns, restores servers after police disruption |
| Warning | Russian military hackers are using compromised Ubiquiti EdgeRouters to evade detection, the FBI says in a joint advisory issued with the NSA, U.S. Cyber Command and international partners. | Russian hackers hijack Ubiquiti routers to launch stealthy attacks |
| Report | U.S. President Joe Biden has signed an executive order that aims to ban the bulk sale and transfer of Americans' private data to "countries of concern" such as China, Russia, Iran, North Korea, Cuba and Venezuela. | New executive order bans mass sale of personal data to China, Russia |